Fortinet recently disclosed a critical vulnerability in Fortinet Wireless Manager (FortiWLM) that enables remote attackers to execute unauthorized commands or code through specially crafted web requests.
This vulnerability, tracked as CVE-2023-34990, has a severity rating of 9.8 and poses a significant risk to users in critical sectors such as government, healthcare, education, and large enterprises.
The Vulnerability: CVE-2023-34990
CVE-2023-34990 is a relative path traversal flaw caused by improper input validation in the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint.
By exploiting this flaw, unauthenticated attackers can manipulate the imagename parameter when the op_type is set to upgradelogs.
This allows attackers to read sensitive log files on the system.
These logs often contain administrator session IDs, which attackers can use to hijack admin sessions and gain privileged access.
According to Horizon3 researcher Zach Hanley, this exploitation is made easier by FortiWLM’s verbose logging, which includes the session IDs of authenticated users.
Hanley explained:
"Abusing the lack of input validation, an attacker can construct a request where the imagename parameter contains a path traversal, allowing the attacker to read any log file on the system. With these verbose logs, an attacker can retrieve session IDs to hijack authenticated sessions and abuse other endpoints."
Affected Versions and Timeline
The vulnerability impacts FortiWLM versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4. Discovered by Zach Hanley in May 2023, the flaw remained unpatched for 10 months despite being reported to Fortinet.
Hanley publicly disclosed the vulnerability, along with a proof-of-concept (POC), on March 14, 2024, in a technical writeup.
Although Fortinet addressed the issue in FortiWLM versions 8.6.6 and 8.5.5, released at the end of September 2023, the absence of a CVE ID and a formal security bulletin meant that users were largely unaware of the risk.
Fortinet finally issued a security bulletin on December 18, 2024, nine months after Hanley's public disclosure.
The Impact of the Flaw
Given its deployment in critical environments, FortiWLM is a high-value target for attackers. Successful exploitation of this flaw could result in:
-
Hijacked admin sessions, granting attackers privileged access.
-
Network-wide disruptions.
-
Exposure of sensitive data.
The vulnerability effectively served as a zero-day for roughly four months, leaving users vulnerable until a fix was implemented and communicated.
Recommended Actions
Fortinet strongly urges administrators of FortiWLM to update to secure versions (8.6.6 or 8.5.5) immediately.
Applying updates promptly is critical to mitigating risks and ensuring the security of wireless networks.
Admins are also encouraged to monitor Fortinet’s security bulletins regularly and implement best practices for securing network devices.
With FortiWLM’s importance in managing wireless infrastructure, timely updates are essential to prevent potential exploits.
